diff --git a/CHANGES b/CHANGES
index 0e2440074d..7bc19c2924 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+2773. [bug] In autosigned zones, the SOA could be signed
+ with the KSK. [RT #20628]
+
 --- 9.7.0b3 released ---
 2772. [security] When validating, track whether pending data was from
diff --git a/bin/named/update.c b/bin/named/update.c
index d7a054beb2..a31606a4a9 100644
--- a/bin/named/update.c
+++ b/bin/named/update.c
@@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */
-/* $Id: update.c,v 1.168 2009/11/09 01:28:32 each Exp $ */
+/* $Id: update.c,v 1.169 2009/11/18 21:22:31 each Exp $ */
 #include
@@ -1926,7 +1926,7 @@ add_sigs(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
 if (type == dns_rdatatype_dnskey) {
 if (!KSK(keys[i]) && keyset_kskonly)
 continue;
- } else if (!KSK(keys[i]))
+ } else if (KSK(keys[i]))
 continue;
 } else if (REVOKE(keys[i]) && type != dns_rdatatype_dnskey)
 continue;
diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index ea26c1e5ff..1473360003 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */
-/* $Id: zone.c,v 1.529 2009/11/12 23:47:59 tbox Exp $ */
+/* $Id: zone.c,v 1.530 2009/11/18 21:22:31 each Exp $ */
 /*! \file */
@@ -4586,7 +4586,7 @@ add_sigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
 if (type == dns_rdatatype_dnskey) {
 if (!KSK(keys[i]) && keyset_kskonly)
 continue;
- } else if (!KSK(keys[i]))
+ } else if (KSK(keys[i]))
 continue;
 } else if (REVOKE(keys[i]) && type != dns_rdatatype_dnskey)
 continue;
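Review bot: The corrected `} else if (KSK(keys[i]))` branch in add_sigs() carries no comment stating the key-selection policy it enforces, and the same inverted test had to be fixed twice, in the bin/named/update.c hunk at 1926 and again in the lib/dns/zone.c hunk at 4586, so the two copies can drift apart again. I would put a comment above `if (type == dns_rdatatype_dnskey) {` in both files, for example `/* DNSKEY: sign with KSKs, and with ZSKs too unless keyset_kskonly; any other rrset: ZSKs only, so skip KSKs. */`. The commit as shown adds no test; a regression check that the SOA RRSIG of an autosigned zone is made only by a non-KSK key would pin this behaviour, because a one-character slip here silently puts the KSK to work on ordinary zone data. The enclosing condition and the rest of add_sigs() lie outside both hunks, so the comment wording should be confirmed against the full function.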